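#!/usr/bin/env bash
# Check all UDM Pro–related configuration before running E2E validation.
# Verifies: port forwarding (public→NPMplus), DNS, NPMplus reachability.
# Usage: ./scripts/check-udm-pro-config-before-e2e.sh
#
# Environment (optionally set in PROJECT_ROOT/.env):
#   PUBLIC_IP     WAN address the port forwards are expected on
#   NPM_HOST      LAN address of NPMplus
#   PROXMOX_HOST  Proxmox node that hosts the NPMplus container
#
# Exit status: 1 when at least one hostname cannot be resolved, otherwise 0.
# DNS mismatches and unreachable ports are reported as warnings only.
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
cd "$PROJECT_ROOT"

# Load .env for PUBLIC_IP, NPM_HOST.
# NOTE(review): `source` runs .env as shell code with the caller's privileges,
# so the file must be writable only by trusted users.
if [ -f .env ]; then
  set +u
  # shellcheck source=/dev/null
  source .env 2>/dev/null || true
  set -u
fi

# Site-specific defaults; override them in .env rather than editing here.
PUBLIC_IP="${PUBLIC_IP:-76.53.10.36}"
NPM_HOST="${NPM_HOST:-192.168.11.167}"
PROXMOX_HOST="${PROXMOX_HOST:-192.168.11.11}"
# Container ID of NPMplus on the Proxmox host.
NPMPLUS_VMID=10233

RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
CYAN='\033[0;36m'
NC='\033[0m'

# Logging helpers. Only the colour codes go through %b; the message is printed
# with %s so that text taken from DNS answers or from the remote SSH command is
# never interpreted as escape sequences by the terminal.
log_info() { printf '%b[INFO]%b %s\n' "$BLUE" "$NC" "$1"; }
log_ok() { printf '%b[✓]%b %s\n' "$GREEN" "$NC" "$1"; }
log_warn() { printf '%b[⚠]%b %s\n' "$YELLOW" "$NC" "$1"; }
log_fail() { printf '%b[✗]%b %s\n' "$RED" "$NC" "$1"; }
log_section() {
  local rule='━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━'
  printf '\n%b%s%b\n%b%s%b\n%b%s%b\n\n' \
    "$CYAN" "$rule" "$NC" "$CYAN" "$1" "$NC" "$CYAN" "$rule" "$NC"
}

#######################################
# Print the first address a hostname resolves to (nothing if unresolved).
# Tries the system resolver first, then falls back to dig.
# Arguments: $1 - hostname
# Outputs:   one address on stdout, without a trailing newline
#######################################
resolve_first_addr() {
  local host=$1
  local addr
  # NOTE(review): `getent ahosts` may list an IPv6 address first on dual-stack
  # names, which then shows up as a mismatch against an IPv4 PUBLIC_IP.
  addr=$(getent ahosts "$host" 2>/dev/null | awk '/STREAM/ {print $1; exit}' || true)
  if [ -z "$addr" ]; then
    # `dig +short` prints CNAME targets before the addresses, so keep only the
    # first line that looks like a dotted-quad instead of blindly taking line 1.
    addr=$(dig +short A "$host" 2>/dev/null \
      | awk '/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {print; exit}' || true)
  fi
  printf '%s' "$addr"
}

FAIL=0

echo ""
log_section "UDM Pro configuration check (before E2E)"
echo "Public IP (WAN): $PUBLIC_IP"
echo "NPMplus (LAN): $NPM_HOST"
echo "Proxmox host: $PROXMOX_HOST (VMID $NPMPLUS_VMID)"
echo ""

# ─── 1. UDM Pro port forwarding (manual checklist) ───
log_section "1. UDM Pro port forwarding (verify in UniFi UI)"
echo "In UniFi Network → Settings → Firewall & Security → Port Forwarding, ensure:"
echo ""
echo " Rule 1: NPMplus HTTP"
echo " • Public IP: $PUBLIC_IP (or WAN interface)"
echo " • Public Port: 80"
echo " • Forward to: $NPM_HOST"
echo " • Private Port: 80"
echo " • Protocol: TCP"
echo " • Enabled: Yes"
echo ""
echo " Rule 2: NPMplus HTTPS"
echo " • Public IP: $PUBLIC_IP (or WAN interface)"
echo " • Public Port: 443"
echo " • Forward to: $NPM_HOST"
echo " • Private Port: 443"
echo " • Protocol: TCP"
echo " • Enabled: Yes"
echo ""
log_info "If either rule is missing or points to 192.168.11.166, update to $NPM_HOST (only .167 is used)."
echo ""

# ─── 2. DNS resolution (RPC hostnames → PUBLIC_IP) ───
log_section "2. DNS resolution (RPC hostnames → $PUBLIC_IP)"
RPC_HOSTS=(
  "rpc-http-pub.d-bis.org"
  "rpc.d-bis.org"
  "rpc.public-0138.defi-oracle.io"
  "rpc.defi-oracle.io"
  "explorer.d-bis.org"
)
for h in "${RPC_HOSTS[@]}"; do
  res=$(resolve_first_addr "$h")
  if [ -z "$res" ]; then
    log_fail "$h → could not resolve"
    # Plain assignment: ((FAIL++)) returns non-zero when FAIL is 0 and would
    # trip `set -e` without an extra guard.
    FAIL=$((FAIL + 1))
  elif [ "$res" = "$PUBLIC_IP" ]; then
    log_ok "$h → $res"
  else
    log_warn "$h → $res (expected $PUBLIC_IP)"
  fi
done
echo ""

# ─── 3. Public IP reachability (80, 443) ───
log_section "3. Public IP reachability ($PUBLIC_IP:80, $PUBLIC_IP:443)"
for port in 80 443; do
  # Host and port are handed to the child shell as positional parameters, so a
  # value coming from .env is used as data and never parsed as shell code.
  if timeout 5 bash -c 'echo >"/dev/tcp/$1/$2"' _ "$PUBLIC_IP" "$port" 2>/dev/null; then
    log_ok "$PUBLIC_IP:$port reachable"
  else
    # curl prints 000 for %{http_code} when no HTTP response was received, so
    # the status code is compared explicitly instead of matching any digit.
    code=$(curl -s -o /dev/null -w '%{http_code}' --connect-timeout 5 \
      "http://$PUBLIC_IP:$port/" 2>/dev/null || true)
    if [ -n "$code" ] && [ "$code" != "000" ]; then
      log_ok "$PUBLIC_IP:$port responds (HTTP)"
    else
      log_warn "$PUBLIC_IP:$port not reachable from this host (run E2E from LAN or internet)"
    fi
  fi
done
echo ""

# ─── 4. NPMplus direct (if on LAN) ───
log_section "4. NPMplus direct ($NPM_HOST:80, 443, 81)"
for port in 80 81 443; do
  proto="http"
  if [ "$port" = "443" ]; then
    proto="https"
  fi
  # -k skips certificate validation: this is a reachability probe against an
  # IP address, not a check of the TLS configuration.
  # A failed curl has already written "000" through -w; appending a second
  # "000" (the old `|| echo "000"`) produced "000000", which passed the check
  # below and reported an unreachable port as OK.
  code=$(curl -sk -o /dev/null -w '%{http_code}' --connect-timeout 3 \
    "${proto}://${NPM_HOST}:${port}/" 2>/dev/null || true)
  code=${code:-000}
  if [ "$code" != "000" ]; then
    log_ok "$NPM_HOST:$port → HTTP $code"
  else
    log_warn "$NPM_HOST:$port not reachable from this host (normal if not on 192.168.11.x)"
  fi
done
echo ""

# ─── 5. Proxmox / NPMplus container (optional SSH) ───
log_section "5. NPMplus container status (optional)"
if command -v ssh >/dev/null 2>&1; then
  # accept-new records the key of a host seen for the first time but refuses a
  # host whose key has changed; StrictHostKeyChecking=no accepted any key for a
  # root session on the hypervisor. Needs OpenSSH 7.6 or newer.
  status=$(ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=accept-new \
    root@"$PROXMOX_HOST" "pct status $NPMPLUS_VMID 2>/dev/null" \
    | awk '/status:/ {print $2}' || echo "unknown")
  # ssh can succeed without producing a "status:" line; report that as unknown.
  status=${status:-unknown}
  if [ "$status" = "running" ]; then
    log_ok "VMID $NPMPLUS_VMID (NPMplus) is running on $PROXMOX_HOST"
  else
    log_warn "VMID $NPMPLUS_VMID status: $status (or SSH failed)"
  fi
else
  log_info "SSH not available; skip Proxmox check."
fi
echo ""

# ─── Summary ───
log_section "Summary"
# Uses the configured PUBLIC_IP; the address was hard-coded here before and
# went stale as soon as .env overrode it.
echo "• Port forwarding: verify in UniFi UI ($PUBLIC_IP:80/443 → $NPM_HOST:80/443)."
echo "• DNS: RPC hostnames should resolve to $PUBLIC_IP."
echo "• Reachability: run E2E from a host that can reach $PUBLIC_IP (LAN or internet)."
echo "• Docs: docs/04-configuration/UDM_PRO_CONFIGURATION_CHECKLIST.md, docs/04-configuration/DNS_NPMPLUS_VM_STREAMLINED_TABLE.md"
echo ""

if [ "$FAIL" -gt 0 ]; then
  log_fail "Some checks failed. Fix DNS or port forwarding before running E2E."
  exit 1
fi

log_ok "UDM Pro config check complete. Run E2E when ready: ./scripts/run-full-e2e-validation.sh"
exit 0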